open port on Cisco 520 Pix to allow us to connect to an ouside dealer systems

I have our Cisco Pix 520, and I need to make a change to allow us to connect to an outside dealers system.  I must preface I have little knowledge of programming cisco equipment I have learned by trial and error.

Here is the senario.  An outside dealer supplied us with a cisco vpn client and a profile.pcf that uses udp to connect to their internet server 68.153.9.86.  I can get connected to them just fine, but the next step of the process is that we installed on our workstations this emulator program that telnets to their unix box.  Outside vendor sees us connected to the vpn but no activity is showing and I can not connect to their unix box, the connection times out.  I receive an ip address when I connect to the vpn

He suggested that I open the firewall to allow 68.153.9.86
I am assuming inbound permit.  They are using port 5051 TCP/IP and 4500 UDP.
How can I configure our pix to allow this
Am I on the right track here or not

access-list inbound permit tcp host 68.153.9.86 any eq 5150
access-list inbound permit udp host 68.153.9.86 any eq 4500

should I also permit outbound as well?

I have logged in to the pix
config terminal
typed the above commands
cntl Z
but the changes do not appear when I do a sho config

I do not want to write to memory yet in case this does not work.

Any assistance would be appreciated.

juliewilliamsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

stressedout2004Commented:
The syntax of the access-list is correct. However, the only time you need to permit it outbound as well is if you have an existing access-rule on the inside interface. Other than that, all outbound traffic is allowed and are permitted back in without any need for any access-rule because of the PIX ASA.

I don't think access-rule is part of the problem unless you have an existing access-rule on the interface where the VPN client is being initiated from.

Once connected with the VPN client, can you atleast ping anything on the other side of the network? Also what type of NAT on the PIX does the PC you are using for VPN client connection have?
0
juliewilliamsAuthor Commented:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any host 38.119.238.84 eq domain
access-list inbound permit udp any host 38.119.238.84 eq domain
access-list inbound permit tcp host 38.119.238.81 host 38.119.238.84 eq cmd
access-list inbound permit udp host 38.119.238.81 host 38.119.238.84 eq snmp
access-list inbound permit udp host 38.119.238.81 host 38.119.238.84 eq syslog
access-list inbound permit udp host 38.119.238.81 host 38.119.238.84 eq ntp
access-list inbound permit tcp any host 38.119.238.83 eq smtp
access-list 50 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list outbound deny tcp any any eq 5050
access-list outbound deny tcp any 216.136.175.0 255.255.255.0 eq telnet
access-list outbound deny tcp any 216.136.131.0 255.255.255.0 eq telnet
access-list outbound deny tcp any 216.136.224.0 255.255.255.0 eq telnet
access-list outbound deny tcp any 216.136.225.0 255.255.255.0 eq telnet
access-list outbound deny tcp any 204.71.201.0 255.255.255.0 eq telnet
access-list outbound deny tcp any 216.115.105.0 255.255.255.0 eq telnet
access-list outbound deny tcp any 216.115.106.0 255.255.255.0 eq telnet
access-list outbound deny tcp any any eq 5190
access-list outbound deny udp any any eq 5190
access-list outbound permit tcp host 10.100.4.230 any eq 522
access-list outbound permit tcp host 10.100.4.230 any eq 389
access-list outbound permit tcp host 10.100.4.230 any eq 1503
access-list outbound permit tcp host 10.100.4.230 any eq h323
access-list outbound permit tcp host 10.100.4.230 any eq 1731
access-list outbound deny tcp any any eq 1731
access-list outbound deny tcp any any eq h323
access-list outbound deny tcp any any eq 1503
access-list outbound deny tcp any any eq 389
access-list outbound deny tcp any any eq 522
access-list outbound permit ip any any
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered warnings
logging trap debugging
logging history informational
logging host inside 10.100.0.21
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 38.119.238.82 255.255.255.240
ip address inside 10.254.254.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool wltvpn 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 38.119.238.83 10.100.0.72 netmask 255.255.255.255 10000
7000
static (inside,outside) 38.119.238.84 10.100.0.20 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 38.119.238.81 1
route inside 10.0.0.0 255.0.0.0 10.254.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server VPN-user protocol tacacs+
aaa-server VPN-user (inside) host 10.100.0.21 wltkey timeout 5
aaa authorization include tcp/0 outside 192.168.1.0 255.255.255.0 10.0.0.0 255.0
.0.0 VPN-user
aaa accounting include tcp/0 outside 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.
0 VPN-user
snmp-server host inside 10.100.0.20
snmp-server location Data Center
snmp-server contact Andy
snmp-server community wilft
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set normal esp-des esp-md5-hmac
crypto ipsec transform-set vpn3000 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 1800 kilobytes 10000
crypto dynamic-map wltmap 5 set transform-set vpn3000
crypto dynamic-map wltmap 5 set security-association lifetime seconds 32800 kilo
bytes 4608000
crypto dynamic-map wltmap 10 set transform-set normal
crypto dynamic-map wltmap 10 set security-association lifetime seconds 28800 kil
obytes 4608000
crypto map remote-user 20 ipsec-isakmp dynamic wltmap
crypto map remote-user client configuration address initiate
crypto map remote-user client configuration address respond
crypto map remote-user client authentication VPN-user
crypto map remote-user interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local wltvpn outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WLTvpn3000 address-pool wltvpn
vpngroup WLTvpn3000 dns-server 10.100.0.20
vpngroup WLTvpn3000 default-domain wltc.com
vpngroup WLTvpn3000 split-tunnel 50
vpngroup WLTvpn3000 idle-time 3600
vpngroup WLTvpn3000 password ********
telnet 10.100.0.0 255.255.248.0 inside
telnet 10.253.254.0 255.255.255.0 inside
telnet 10.254.254.1 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
terminal width 80
Cryptochecksum:65e51c0099d85473faa7dedf20866c76
   

This is an older config file no longer being used because we have changed our entire ip structure.  Do you see anything that may not allow access to this vpn clients system.  We have our own vpn concentrator and connection - is there a chance our own internal cisco vpn connection is a problem?

Once I connect to this dealers vpn I get an ip address, but the only item I can ping is my own client address - I can not ping their unix box, and I can ping all of our devices which seems odd.  I also did a tracert on  68.153.9.86 and I get out fine.  

Also on our concentrator: This section lets you configure system-wide IPSec NAT Transparency.

IPSec over TCP  Check to enable IPSec over TCP.
TCP Port(s) 10000
--------------------------------------------------------------------------------
 
IPSec over NAT-T  - YES  Check to enable IPSec over NAT-T, which detects the need for UDP encapsulation in NAT/PAT environments, using UDP port 4500.

I am not sure if I am giving you the information you are looking for, I hope so.

Thanks
0
stressedout2004Commented:
>>>>>>This is an older config file no longer being used because we have changed our entire ip structure.  Do you see anything that may not allow access to this vpn clients system.  We have our own vpn concentrator and connection - is there a chance our own internal cisco vpn connection is a problem

--- That configuration should work just fine, you don't need to add any access-rule whatsoever. The concentrator shouldn't cause any issue, since it is a separate connection, different IP server and different IP pool.

>>>> Once I connect to this dealers vpn I get an ip address, but the only item I can ping is my own client address - I can not ping their unix box, and I can ping all of our devices which seems odd.  I also did a tracert on  68.153.9.86 and I get out fine.  

What do you mean our devices? Do you mean devices within your own internal network? If this is so,then that is normal.
Your dealer probably has split tunneling enabled.


Can you tell me what is the internal IP address of the PC you use for VPN client connection and what IP address is assigned to you?

After you get connected  to the VPN client, right click on the VPN client lock icon on the system tray and click on Statistics, once it opens, under the Tunnel details tab, on the Transport, what does it say under Transparent Tunneling? Does it say Active on UDP port 4500?
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

juliewilliamsAuthor Commented:
dealer does have split tunneling

internal ip for pc I am using is  10.100.7.229
When I connect to the dealer site I get the ip address of 192.168.240.11 or 192.168.240.20 subnet 255.255.255.0
Transport tunneling - inactive, local lan disabled.

While testing last night I was able to connect to this system from my home so the config is set up correctly.  Would I need to make any adjustments in the PIX to account for this vpn client connection?

Thanks

0
stressedout2004Commented:
You said that config file is no longer being used, so I am not sure how much of a difference that old running config
has to the new one. Can you look at your current configuration and tell me what kind of translation does the PC 10.100.7.229 have. Meaning does it have a static translation or is it being PATted? Just do "show static" in the PIC
and try to see if you find your PC's IP address being statically NATted.

The reason I ask, is because if the PIX is doing PAT (port address translation) and the PC you are using is being
PATted with transparent tunnelling inactive, the VPN Client will connect but not be able to pass traffic. There's
two ways to get around this if this is the case;

1) Enable transparent tunneling on the VPN server side
2) Enable the command "fixup protocol esp-ike" on the PIX. However you can only do this if the PIX itself is not
configured to terminate VPN connection as well.



0
juliewilliamsAuthor Commented:
The onlything in our current config that has changed compared to posting are the ip addresses everything else is the same.  When I do a show static in the PIX  it only shows the following

static (inside,outside) 207.250.121.243 10.100.0.72 netmask 255.255.255.255 1000
0 7000
static (inside,outside) 207.250.121.244 10.100.0.20 netmask 255.255.255.255 0 0
This is exactly what is happening.

The reason I ask, is because if the PIX is doing PAT (port address translation) and the PC you are using is being
PATted with transparent tunnelling inactive, the VPN Client will connect but not be able to pass traffic.


I have a cisco 3000 concentrator how is transparent tunning turned on?  In the  Configuration | Tunneling and Security | IPSec | NAT Transparency section both
IPSec over TCP is Checked to enable IPSec over TCP.
TCP Port(s) 10000  and
IPSec over NAT-T  is Checked to enable IPSec over NAT-T

As a side note, our vpn client connection (not the dealer connection I am having trouble with) does show in the statistics screen that transparent tunneling is active through UDP 4500 when I connect to our system.

For option 2 how would I know if PIX is configured to terminate VPN connection.  As I mentioned kinda of a novice in the cisco pix area.

 
0
stressedout2004Commented:
Ok, let's step back a little. Don't confused your VPN client connection to the concentrator and that of your dealer. They are two different connection. Now regarding transparent tunneling on the 3000 Concentrator, it is enable since both the IPSEC over NAT-T and IPSEC over TCP are checked.

Where is this concentrator located? Is it behind the PIX?

To check if your PIX is configured for VPN connection, just do a "sh run | include crypto" on the PIX where | is a pipe sign. So basically just look at the config and see if there is any configuration that starts with the work crypto map. Like:

crypto map remote-user 20 ipsec-isakmp dynamic wltmap
crypto map remote-user client configuration address initiate
crypto map remote-user client configuration address respond
crypto map remote-user client authentication VPN-user
crypto map remote-user interface outside

If you have a VPN concentrator in your system, I don't see any reason why you would configure the PIX to terminate VPN
connection as well.
0
juliewilliamsAuthor Commented:
Thanks for being so patient.
Our PIX is a bit out of date, and can not like our routers, do a sho run|include crypto.  I can do the sho config and those lines are present in the config file.
If I type
sho crypto map

Crypto Map: "remote-user" interfaces: { outside }
        client configuration address initiate
        client configuration address respond
        client authentication VPN-user

Crypto Map "remote-user" 20 ipsec-isakmp
Dynamic map template tag: wltmap        

The concentrator is behind the pix
0
stressedout2004Commented:
Ok do this command:

sh crypto isa sa

That will tell us if anybody is using the VPN. Post the output.






0
juliewilliamsAuthor Commented:
inet-fw# sh crypto isa sa
Total     : 0
Embryonic : 0
        dst            src         state     pending    created
inet-fw#
0
stressedout2004Commented:
Alright, do the following command on the PIX under config mode [pix(config)#]:

no crypto map remote-user interface outside
no isakmp enable outside
fixup protocol esp-ike

Try the VPN client connection after that and see how it works.
0
juliewilliamsAuthor Commented:
I appreicate all of your assistance in this matter.  

I have one problem with the above commands it is looking for a port number on the fixup protocol, but I dont know which one to use?  My next question is after I do a cntl Z at the end of the 3 commands should I see the changed when I run a sho config or do I have to do a write mem?

Thanks
0
stressedout2004Commented:
It's looking for a port? What version of the PIX are you running? Do a "sh version" and you should see something like:

Cisco PIX Firewall Version 6.x
Cisco PIX Device Manager Version 3.0(3)

The configuration changes should reflect right away, you don't need to do wr mem. Don't do show config as it will show you the configuration on the flash and not the current config. Do a "sh run" instead.

0
juliewilliamsAuthor Commented:
Cisco PIX Firewall Version 6.1(1)                                      
Hardware:   SE440BX2, 128 MB RAM, CPU Pentium II 350 MHz                        
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00d0.b713.bdd3, irq 11
1: ethernet1: address is 00d0.b713.be5b, irq 10

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Inside Hosts:   Unlimited
Throughput:     Unlimited
ISAKMP peers:   Unlimited

the sh run command does not work on this version - It appears this PIX has not been updated for quite some time so not patches have been done since 2001.  
0
stressedout2004Commented:
The fixup protocol I gave you requires 6.3, that won't work in your setup until you upgrade. You are better off upgrading this PIX.

Ok now our option is very limited. The problem with your setup is that the PC you are using is being PATted on the PIX, meaning you are sharing a public IP among the other users on your internal network. IPSEC has problems going thru PAT wherein after VPN is established, you won't be able to pass any traffic (which is what you are experiencing) which is why they have developed NAT transparency. Here is what you can do:

1) If you have a spare public IP, you can do a static NAT on one of the PC and use this PC to connect to the VPN.

2) Call your dealer and ask them what kind of VPN server they have and if they have NAT transparency enabled and what port is it on.

Now, are you willing to do a quick test with me. I have a PIX terminating VPN connection I use with lab testing. I will give you an IP to connect to and the VPN profile. I have NAT-T enabled on the PIX, which means you should be able to get through.




0
juliewilliamsAuthor Commented:
I can do this test with you.  I have left a message with the dealer, I hope to get a response back yet today.
0
juliewilliamsAuthor Commented:
Dealers response to item 2.

  It's a cisco concentrator a 3000 series
However, Nat-t is not enabled on their side
0
stressedout2004Commented:
I thought so. You definitely need NAT-T to be enable on their side. Is this something they are willing to do?
I will give you an IP and profile to connect to. Do you know how to create a profile on the VPN client?
0
juliewilliamsAuthor Commented:
The dealer is not willing to make this change.

I want to get you off the hook here and I believe I will be looking at replacing our current PIX, it was scheduled for 2006 anyway, so I will just move it up a bit.

You have been just outstanding and patient.  Thank you for all of your hard work.  You have just given me another reason to upgrade.  This is not the only reason for the decision, I have only 10mb ports anyway and it due for replacement.

Thanks again.  I will accept the last answer and the 500 points.
0
stressedout2004Commented:
Ok then. Good luck. Im just happy to help.
But just for the record, your dealer is very wrong for not implementing NAT-T. Not all people has the luxury of
having a public IP and by not doing transparent tunneling they are not giving many customer an option.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.